b"                                                           Issue Date\n                                                                    September 8, 2008\n                                                           Audit Report Number\n                                                                        2008-KC-0006\n\n\n\n\nTO:        Brian D. Montgomery, Assistant Secretary for Housing \xe2\x80\x93 Federal Housing\n              Commissioner, H\n\n           //signed//\nFROM:      Ronald J. Hosking, Regional Inspector General for Audit, 7AGA\n\nSUBJECT: HUD\xe2\x80\x99s Office of Single Family Housing Had Not Fully Implemented an\n           Internal Control Structure in Accordance with Requirements\n\n\n\n                                HIGHLIGHTS\n\n What We Audited and Why\n\n             We audited the U.S. Department of Housing and Urban Development\xe2\x80\x99s\n             (HUD) Office of Single Family Housing (Single Family). This review\n             was performed due to concerns over the expected increase in Federal\n             Housing Administration (FHA)-insured loans generated by newly\n             implemented and proposed FHA programs. The objective of our audit\n             was to determine whether Single Family had implemented an internal\n             control structure in accordance with Government Accountability Office\n             (GAO) internal control standards and HUD requirements.\n\n What We Found\n\n             Single Family had not fully implemented an internal control structure in\n             accordance with GAO internal control standards and HUD requirements.\n             Specifically, it did not (1) perform a formal, systematic annual risk\n             assessment of its programs and administrative functions, (2) plan and\n             conduct ongoing management control reviews or alternative management\n             control reviews of its programs, (3) establish an overall strategy regarding\n             its risk-based monitoring of program activities and participants, or (4)\n\x0c           identify corrective actions required to improve its management controls in\n           a timely manner.\n\n           Recent events in the housing industry have driven significant increases in\n           Single Family\xe2\x80\x99s responsibilities and associated risks regarding its FHA\n           mortgage insurance program. HUD reports show that in the past year,\n           FHA endorsements have increased by nearly 86 percent. Given the\n           increasing business that Single Family currently experiences and will\n           likely continue to experience, it is imperative that Single Family quickly\n           implement an effective internal control structure to help it ensure that its\n           programs, activities, and functions operate efficiently and effectively.\n           Such action is critical to ensure the lasting integrity of the FHA insurance\n           fund.\n\nWhat We Recommend\n\n\n           We recommend that HUD ensure that Single Family managers and staff\n           fully implement an acceptable internal control structure by preparing and\n           implementing effective written policies and procedures that comply with\n           the GAO internal control standards and HUD Handbook 1840.1\n           requirements.\n\n           For each recommendation without a management decision, please respond\n           and provide status reports in accordance with HUD Handbook 2000.06,\n           REV-3. Please furnish us copies of any correspondence or directives\n           issued because of the audit.\n\nAuditee\xe2\x80\x99s Response\n\n           We provided the draft report to Single Family officials on July 21, 2008,\n           and initially requested their response by August 20, 2008. We extended\n           the response due date to August 29, 2008, when we provided a revised\n           draft to the officials. Based on a subsequent request from Single Family,\n           we granted an additional extension to September 2, 2008. We received the\n           written response on September 2, 2008.\n\n           Single Family officials reiterated information that they had provided\n           during the audit and agreed to take actions to address our recommendation\n           to fully implement an acceptable internal control structure.\n\n           The complete text of the auditee\xe2\x80\x99s response, along with our evaluation of\n           that response, can be found in appendix A of this report.\n\n\n\n\n                                         2\n\x0c                        TABLE OF CONTENTS\n\n\nBackground and Objectives                                                    4\n\n\nResults of Audit\n      Finding: Single Family Had Not Fully Implemented an Internal Control\n                Structure in Accordance with Requirements\n                                                                             6\n\n\nScope and Methodology                                                        16\n\n\nInternal Controls                                                            17\n\nAppendixes\n   A. Auditee Comments and OIG\xe2\x80\x99s Evaluation                                  19\n\n\n\n\n                                        3\n\x0c                 BACKGROUND AND OBJECTIVES\n\nThe U.S. Department of Housing and Urban Development\xe2\x80\x99s (HUD) Office of Single\nFamily Housing (Single Family) is responsible for the overall management, policy\ndirection, and administration of all single-family programs authorized under Titles I and\nII of the National Housing Act of 1934. One of its major responsibilities is to manage the\nFederal Housing Administration (FHA) insurance program. FHA is one of the largest\ninsurers of mortgages in the world, having insured more than 34 million mortgages since\nits inception in 1934.\n\nIn 1994, the Government Accountability Office (GAO) first identified Single Family\xe2\x80\x99s\nmortgage insurance program as high risk. In January 2007, GAO removed Single Family\nfrom the high-risk list. GAO stated that HUD had demonstrated commitment to and\nprogress in addressing weaknesses in the single-family mortgage insurance program.\nSpecifically, HUD had improved its oversight of lenders and appraisers, and issued or\nproposed regulations to strengthen lender accountability and combat predatory lending\npractices. However, GAO also cautioned that HUD's corrective actions were in the early\nstages of implementation and additional steps were needed to resolve ongoing problems.\nIn addition, it pointed out that HUD continued to grant loan underwriting authority to\nlenders that had not met the agency's performance standards. It also pointed out\nweaknesses in HUD's process for paying single-family property management contractors\nmade the agency vulnerable to questionable and potentially fraudulent payments.\n\nGAO stressed that Single Family needed to continue to place a high priority on efficient\nand effective management of its programs and pointed out that proposed program\nchanges could introduce new risks and oversight challenges. Specifically, Single Family\nhad proposed changes to its mortgage insurance program that would increase the size of\nthe mortgages that FHA could insure, give HUD flexibility to set insurance premiums\nbased on the credit risk of borrowers, and reduce downpayment requirements from the\ncurrent 3 percent to as low as zero percent. In addition, HUD had seen a dramatic\nincrease in FHA-insured home equity conversion (also known as \xe2\x80\x9creverse\xe2\x80\x9d) mortgages.\nGAO concluded that as a result of this increase, Single Family would be challenged to\ndevelop adequate systems to account for these loans.\n\nGAO\xe2\x80\x99s Standards for Internal Control in Federal Government provide the overall\nframework for establishing and maintaining internal control (management control) and\nfor identifying and addressing major performance and management challenges and areas\nat greatest risk of fraud, waste, abuse, and mismanagement. GAO includes five standards\nfor internal control that define the minimum level of quality acceptable for internal\ncontrol in government and provide the basis against which internal control is to be\nevaluated: control environment, risk assessment, control activities, information and\ncommunication, and monitoring.\n\nHUD Handbook 1840.1, REV-3, dated February 1999, establishes HUD\xe2\x80\x99s internal\ncontrol program to ensure compliance with federal requirements related to internal\n\n\n                                            4\n\x0ccontrols. The handbook details the roles and responsibilities of individual program\noffices with respect to the internal controls over HUD programs and administrative\nfunctions. The handbook also details processes that each program office must follow to\nestablish and maintain a cost-effective system of internal controls that provides\nreasonable assurance that programs and activities are effectively and efficiently managed\nand protects against fraud, waste, abuse, and mismanagement.\n\nOur audit objective was to determine whether Single Family had implemented a control\nstructure that met GAO internal control standards and HUD Handbook 1840.1\nrequirements.\n\n\n\n\n                                            5\n\x0c                             RESULTS OF AUDIT\n\nFinding: Single Family Had Not Fully Implemented an Internal\n            Control Structure in Accordance with Requirements\nSingle Family had not fully implemented an internal control structure in accordance with\nGAO internal control standards and HUD requirements. Single Family developed what it\nbelieved to be an acceptable alternative internal control process. As a result, Single\nFamily lacked assurance that its programs, activities, and functions operated efficiently\nand effectively. The lack of an acceptable internal control structure also increased the\nrisk of fraud, waste, and abuse in Single Family\xe2\x80\x99s new, anticipated, and existing\nprograms.\n\n\nSingle Family had not fully implemented an internal control structure that met GAO internal\ncontrol standards and the requirements in HUD Handbook 1840.1, Departmental\nManagement Control Program. Specifically, it did not (1) perform a formal, systematic\nannual risk assessment of its programs and administrative functions, (2) plan and conduct\nongoing management control reviews or alternative management control reviews of its\nprograms, (3) establish an overall strategy regarding its risk-based monitoring of program\nactivities and participants, or (4) identify corrective actions required to improve its\nmanagement controls in a timely manner.\n\nSince 1983, GAO has provided minimum standards for internal control in government. The\n1982 Federal Manager\xe2\x80\x99s Financial Integrity Act (the Act) required agency heads to establish\na continuous process for assessing and improving their agencies\xe2\x80\x99 internal controls and to\nannually report on the status of their efforts. The Act also required GAO to issue internal\ncontrol standards that agencies must follow. GAO issued these standards in 1983. In later\nyears, the U.S. Congress passed additional legislation that increased the emphasis on\ninternal controls. GAO most recently revised the internal control standards in 1999.\n\nThe internal control standards provide the overall framework for establishing and\nmaintaining internal control and for identifying and addressing major performance and\nmanagement challenges and areas at greatest risk of fraud, waste, abuse, and\nmismanagement. To meet these federal internal control requirements, HUD issued\nHandbook 1840.1. The handbook establishes a systematic process that includes specific\nroles and responsibilities for all HUD managers. It provides policies, procedures, and\nguidance for carrying out an effective internal control process for all HUD programs and\nactivities.\n\nSingle Family\xe2\x80\x99s responsibilities and associated risks regarding its FHA mortgage insurance\nprogram have recently increased, making it critical that Single Family quickly implement an\neffective internal control structure. According to HUD, FHA endorsements have increased\n\n\n\n                                             6\n\x0cby nearly 86 percent in the past year. FHA\xe2\x80\x99s business will likely continue to increase due to\nchanges in the housing industry, implementation of new FHA-related programs, and\nchanges in existing programs. Therefore, Single Family needs to have an effective internal\ncontrol structure in place to help it ensure that its programs, activities, and functions operate\nefficiently and effectively.\n\n Formal, Systematic Annual\n Risk Assessment Process Not\n Performed\n\n\n                Single Family did not perform a formal, systematic annual risk assessment\n                of all of its programs and administrative functions. A risk assessment is\n                the identification and analysis of relevant risks associated with achieving\n                objectives and forming a basis for determining how risks should be\n                managed. HUD Handbook 1840.1 explains that key aspects of risk\n                assessment include analyses of the general control environment and\n                inherent risks and an evaluation of the adequacy of existing controls. The\n                handbook also states that HUD managers should assign individual\n                programs and administrative functions an annual risk rating of low,\n                medium, or high, using the HUD risk assessment worksheet. HUD\n                managers are to use the risk ratings as part of their overall risk assessment\n                of agency controls and to provide senior officials with information for\n                reporting on agency controls as required by the Act.\n\n                Further, the handbook states that managers should develop and maintain\n                adequate written documentation of each risk analysis and risk rating they\n                have conducted on their programs and functions. The handbook points out\n                that this information would be useful for reviewing the validity of\n                conclusions reached and performing subsequent assessments and reviews.\n\n                Single Family officials were not able to provide documentation to show\n                that they had completed HUD\xe2\x80\x99s annual risk assessment requirements.\n                Single Family certified to HUD\xe2\x80\x99s Office of the Chief Financial Officer in\n                fiscal years 2006 and 2007 that it evaluated the adequacy of its internal\n                controls and used the risk management worksheet for program and\n                administrative functions to guide its evaluation. However, Single Family\n                officials stated that they did not complete the risk management worksheet\n                in either fiscal year 2006 or 2007, nor could they provide evidence of any\n                other form of annual risk assessment of Single Family\xe2\x80\x99s programs and\n                functions.\n\n\n\n\n                                                7\n\x0cManagement Control Reviews\nNot Performed\n\n          Single Family did not plan and conduct ongoing management control\n          reviews or alternative management control reviews. HUD Handbook\n          1840.1 states that managers must plan and conduct ongoing evaluations of\n          internal (management) controls to ensure that the controls remain effective\n          and efficient and function as intended. The handbook identifies two basic\n          types of evaluations: management control reviews and alternative\n          management control reviews. Management control reviews are\n          comprehensive and detailed reviews of operations in a functional area.\n          Alternative reviews are evaluations of the control techniques in a\n          functional area using a more limited scope methodology than the\n          management control reviews. The purpose of these reviews is to evaluate\n          a program, system, accounting function, or administrative activity to\n          determine whether adequate control techniques exist and to identify\n          material or other weaknesses in internal controls.\n\n          Single Family could not provide any management control reviews from\n          fiscal years 2006 and 2007. For this same period, Single Family provided\n          only two reviews that it considered to be alternative management control\n          reviews. However, one of the reviews did not qualify as an alternative\n          management control review, and Single Family had not completed all\n          requirements for the other review.\n\n             \xe2\x80\xa2   One review did not meet the objective of an alternative\n                 management control review. The study addressed whether a\n                 statistical correlation existed between lenders\xe2\x80\x99 default and claims\n                 rates and the acceptability of lenders\xe2\x80\x99 underwriting and loan\n                 documentation on insured loans. The study was not intended to\n                 evaluate and address identified internal control weaknesses, as is\n                 the intent of alternative management control reviews.\n\n             \xe2\x80\xa2   The second review generally addressed the intent of alternative\n                 management control reviews but did not identify all required\n                 elements. The review focused on assessing and improving a\n                 process, and it documented the type and scope of the review,\n                 Single Family\xe2\x80\x99s findings, and a future corrective action. However,\n                 the review did not identify the responsible official, nor did it\n                 include a detailed description of the process used in testing the\n                 systems.\n\n\n\n\n                                       8\n\x0cOverall Risk-Based Monitoring\nStrategy Not Established\n\n\n           Single Family did not establish an overall strategy regarding its risk-based\n           monitoring of program activities and participants. HUD Handbook 1840.1\n           requires program office directors to develop specific risk-based\n           monitoring strategies, including risk-based rating systems for program\n           participants. The handbook emphasizes that because conditions change\n           over time, management needs to determine whether internal controls\n           continue to effectively address new or changed risks. Risk-based\n           monitoring is a strategy for identifying program activities and participants\n           that represent the greatest risk and are the most susceptible to fraud, waste,\n           and mismanagement and targeting management attention and resources to\n           those activities and participants. The overall objective of the risk-based\n           monitoring process is to allocate a larger share of monitoring resources to\n           program functions posing the highest risk.\n\n           Recent Office of Inspector General (OIG) and private contractor reports\n           have identified areas in which Single Family could strengthen internal\n           controls or needs to implement or improve controls to avoid material\n           weaknesses. Single Family may have had a better opportunity to identify\n           these internal control issues by practicing risk-based monitoring.\n\n           For example, OIG recently reported a need for Single Family to strengthen\n           its monitoring of HUD\xe2\x80\x99s homeownership centers (OIG report #2008-KC-\n           0001, issued January 2008). The homeownership centers are tasked with\n           ensuring that FHA-approved lenders comply with HUD lending\n           requirements and resolving deficiencies identified. The homeownership\n           centers did not always resolve materially deficient and potentially\n           fraudulent loans consistently.\n\n           In another example, a private contractor recently reported similar\n           problems in its front-end risk assessment of Single Family\xe2\x80\x99s lender\n           insurance program. In its June 2007 report, the contractor rated the Single\n           Family lender insurance program\xe2\x80\x99s organizational structure as\n           unsatisfactory. The contractor identified the lack of centralized\n           monitoring of HUD\xe2\x80\x99s homeownership centers\xe2\x80\x99 compliance activities as\n           one of the reasons for the unsatisfactory rating. It also noted that although\n           the homeownership centers had responsibility for ensuring lender\n           compliance, there was a lack of ongoing monitoring of the\n           homeownership centers\xe2\x80\x99 activities to ensure that they performed their\n           compliance duties. For example, Single Family did not employ\n           centralized monitoring of the removal of nonperforming lenders to ensure\n           that they were not inadvertently allowed to remain in the program.\n\n\n\n                                         9\n\x0c             In another recent report, OIG\xe2\x80\x99s contracted independent auditors identified\n             other problems that occurred, in part, due to the lack of risk-based\n             monitoring. The independent auditor\xe2\x80\x99s report on FHA\xe2\x80\x99s fiscal year 2007\n             financial statements (OIG report #2008-FO-0002, issued November 2007)\n             identified two material weaknesses related to home equity conversion\n             mortgages (reverse mortgages), caused in part by\n\n                 \xe2\x80\xa2   A lack of a comprehensive, documented, program-level risk\n                     assessment;\n                 \xe2\x80\xa2   A lack of an effective process to document FHA\xe2\x80\x99s conclusions\n                     regarding results of its validation review; and\n                 \xe2\x80\xa2   A lack of employee understanding of system security\n                     responsibilities due to an ineffective organizational authority and\n                     insufficient staff resources.\n\n             The report also noted that most of the control weaknesses were specific to\n             the reverse mortgage program; however, the weaknesses may indicate\n             systemic problems within FHA due to the level of inadequate risk\n             assessments and lack of documentation within this program.\n\n             Single Family should have employed an overall risk-based monitoring\n             strategy to help ensure that (1) homeownership centers resolved loan\n             deficiencies consistently; (2) nonperforming lenders were not\n             inadvertently allowed to remain in the lender insurance program; and (3)\n             the reverse mortgage program operated efficiently and effectively,\n             particularly since this program had dramatically increased in loan volume\n             in recent years.\n\nUnsatisfactory Ratings and\nCorrective Actions Not\nProvided to Responsible\nOfficials in a Timely Manner\n\n             Single Family did not notify responsible officials of significant problems\n             identified by a private contractor, nor did it provide the officials with\n             corrective action plans in a timely manner. GAO standards for internal\n             control emphasize that deficiencies identified during ongoing monitoring\n             or through separate evaluations should be communicated to the individual\n             responsible for the function and also to at least one level of management\n             above that individual. Also, serious matters should be reported to top\n             management. HUD Handbook 1840.1 states that management is\n             responsible for the timely identification of corrective actions required to\n             improve management controls. For material weaknesses, corrective action\n             plans are to be submitted to the Chief Financial Officer within 60 calendar\n             days of the final determination of the weakness. For weaknesses not\n\n\n                                          10\n\x0c             deemed material but significant and requiring corrective actions, plans\n             should be submitted to the Chief Financial Officer within 60 days from\n             identification of the weakness.\n\n             The private contractor that conducted the front-end risk assessment of the\n             lender insurance program, as described previously, reported its findings to\n             Single Family in June 2007. In addition to rating the Single Family lender\n             insurance program\xe2\x80\x99s organizational structure as unsatisfactory, the\n             contractor reported a lack of single point decision-making authority and\n             accountability to facilitate faster decision making. Accordingly, Single\n             Family managers were slow in implementing specific guidance and\n             procedures affecting the lender insurance program.\n\n             As of February 2008, Single Family had not briefed the primary\n             organization head on the results of the contractor\xe2\x80\x99s review, nor had it\n             provided a corrective action plan to address the weaknesses identified in\n             the review. Given the importance of the lender oversight function\n             performed by the homeownership centers, Single Family should have\n             promptly notified officials responsible for overseeing its operations,\n             including the primary organization head, of the deficiencies and provided\n             them with corrective action plans.\n\nManagers Used Alternative\nProcess They Believed Was\nAcceptable\n\n             Single Family developed what it believed to be an acceptable alternative\n             internal control process. Also, in an effort to improve its internal control\n             process, Single Family hired a contractor in October 2007 to develop an\n             internal quality control policies and procedures manual. Single Family\n             expected that the contractor would help it better address its internal control\n             assessment and implementation needs.\n\n             Handbook 1840.1 directs managers at all levels to identify all risks that\n             may prevent accomplishing program goals and objectives, assess the\n             severity of the risks, implement policies and procedures for controlling the\n             risks, allocate available program resources to effectively manage the risks\n             in a timely manner, and provide objective and timely reporting on the\n             status of the risks. In addition, managers must evaluate, on a regular basis,\n             the effectiveness of controls in their operations. The handbook also states\n             that while various methods may be used to evaluate controls, careful\n             planning, execution, documentation, and reporting are required. The\n             handbook provides a methodology for managers to\n\n\n\n\n                                          11\n\x0c   \xe2\x80\xa2   Systematically assess the susceptibility of their program or activity\n       to the risk of fraud, waste, abuse, or mismanagement;\n   \xe2\x80\xa2   Conduct evaluations of the effectiveness of their management\n       controls;\n   \xe2\x80\xa2   Identify actions and resources needed to correct weaknesses;\n   \xe2\x80\xa2   Maintain quality control over the program; and\n   \xe2\x80\xa2   Provide an early warning capability to alert senior management of\n       potential or emerging problems.\n\nSingle Family managers asserted that although they did not strictly adhere\nto the systematic methodology in handbook 1840.1, they conducted\nmultiple activities and used various tools that they believed were sufficient\nto constitute an acceptable internal control structure. Throughout the\naudit, we requested that Single Family provide documentation and\nexplanations of what it considered elements of its alternative internal\ncontrol process. This report recognizes and evaluates the information\nprovided during the audit.\n\nFor example, Single Family periodically conducted strategic planning\nsessions, which served as brainstorming sessions to discuss operational\nneeds, expected outcomes, staffing assignments to address the needs,\ntarget dates, and status updates. However, the strategic planning\ndocuments did not demonstrate that the tasks discussed were based on\nformal risk assessments or management control reviews.\n\nSingle Family managers also stated that Single Family\xe2\x80\x99s homeownership\ncenters monitored lenders to ensure that they complied with HUD lending\nrequirements and used automated tools such as the Neighborhood Watch\nEarly Warning system and the Credit Watch Termination system in their\nmonitoring efforts. Neighborhood Watch provides loan performance data\nfor lenders and appraisers, by loan types and geographic areas, using\nFHA-insured single-family loan information. Credit Watch identifies\nlenders that have originated or sponsored poorly performing loans (i.e.,\nhigh default and claim rates).\n\nWhile Single Family had various tools with which to conduct its business,\nthese and other operational tools did not substitute for fully implementing\nan efficient and effective, comprehensive internal control structure. Single\nFamily\xe2\x80\x99s daily functions and tools did not constitute a formal, systematic\nprocess for assessing its entire internal control environment, nor did the\ndaily functions and tools serve to validate internal control and operational\ndecisions made by Single Family.\n\nSingle Family hired a private contractor in October 2007 to develop an\ninternal quality control policies and procedures manual. The intended\npurpose of the manual was to validate risk management priorities\n\n\n                             12\n\x0c            identified by Single Family and to serve as a management tool to ensure\n            that Single Family appropriately addressed areas of material risk.\n\n            As stated in the contract, the manual was expected to provide guidance to\n            headquarters and homeownership center staff to address, minimize, and\n            mitigate the impact of any issues that constitute financial or programmatic\n            material risks, through regular monitoring, reporting, oversight, and\n            appropriate follow-up. The manual was intended to assist Single Family\n            in implementing a uniform set of policies, procedures, and practices to be\n            consistently followed at HUD headquarters and the homeownership center\n            levels and which would provide a seamless process for identifying,\n            monitoring and overseeing material risk management issues in all program\n            areas. Further, the contractor was to provide an internal quality control\n            plan to enhance the level of consistency in the application of risk\n            management standards governing the execution of program activities.\n\n            As of the end of our review, the first contract deliverables were not yet\n            due; therefore, we were unable to evaluate the contractor\xe2\x80\x99s work.\n            However, the contractor\xe2\x80\x99s project plan seemed to focus on a list of high-\n            risk priority areas identified by Single Family managers, rather than all\n            programs, activities, and functions. In addition, the project plan and\n            related documents did not explain how Single Family identified the high-\n            priority areas, nor did Single Family provide us with an explanation of or\n            documentation showing how it identified these areas.\n\nSingle Family Responsibilities\nIncreasing and FHA Program\nGrowing, Increasing Risks\n\n            Recent events in the housing industry have driven increases in Single\n            Family responsibilities and associated risks with its FHA mortgage\n            insurance program. HUD reports showed that in the past year, FHA\n            endorsements have increased by nearly 86 percent.\n\n            One reason for the increase was the newly implemented FHASecure\n            program. Under the program, borrowers can refinance their non-FHA\n            fixed or adjustable rate loans into FHA loans if they meet certain\n            eligibility criteria. In April 2008, HUD reported that since it began the\n            FHASecure program in August 2007 it had facilitated more than 150,000\n            homeowners to refinance their mortgages and estimated that it would\n            likely facilitate loans for 500,000 families by the end of calendar year\n            2008. FHA\xe2\x80\x99s business had also increased due to increases in home equity\n            conversion (reverse) mortgages. FHA endorsed more than 43,000 reverse\n            mortgages in fiscal year 2005. During fiscal year 2007, FHA endorsed\n\n\n\n\n                                         13\n\x0c            about 108,000 reverse mortgages, an increase of approximately 150\n            percent.\n\n            In addition, the Congress recently increased the maximum mortgage\n            amount that FHA can insure, allowing it to insure more, higher-value\n            mortgages. For most single-family homes, HUD raised the maximum\n            mortgage limit by 35 percent, from about $200,000 in low-cost areas to\n            more than $270,000, and by more than 100 percent in high-cost areas,\n            from more than $360,000 to nearly $730,000. Further, the Congress\n            recently passed legislation that created a new FHA program to help at-risk\n            borrowers. Under the program, FHA could insure up to$300 billion in\n            new, less costly mortgages for homeowners who otherwise would not\n            likely qualify for government-insured loans.\n\n            In summary, Single Family\xe2\x80\x99s responsibilities and associated risks are\n            rapidly and greatly increasing due to changes in the housing industry,\n            implementation of new FHA-related programs, and changes in existing\n            programs. These changes make it imperative for Single Family to quickly\n            implement a comprehensive and effective internal control structure that\n            meets GAO and HUD requirements.\n\nIncreased Risks Due to Lack of\nFully Implemented Internal\nControl Structure\n\n            Without a fully implemented internal control structure, Single Family\n            lacked assurance that its programs, activities, and functions operated\n            efficiently and effectively or would do so in the future. This condition\n            increased the risk of fraud, waste, and abuse in its new, anticipated, and\n            existing programs.\n\n            As GAO stresses, a key factor in helping to achieve agencies\xe2\x80\x99 missions\n            and program results and to minimize operational problems is to implement\n            appropriate internal controls. Effective internal controls also help in\n            managing change to cope with shifting environments and evolving\n            demands and priorities. As programs change and as agencies strive to\n            improve operational processes, management must continually assess and\n            evaluate its internal controls to ensure that the control activities used are\n            effective and updated when necessary.\n\n            In summary, internal controls serve as the first line of defense in\n            safeguarding assets and preventing and detecting errors and fraud. Single\n            Family has implemented new programs in recent months, is likely to be\n            tasked with additional new programs in the near future, and has made\n            changes to existing programs. Having an acceptable and fully functioning\n\n\n\n                                         14\n\x0c          internal control structure that meets GAO and HUD requirements is\n          central to Single Family\xe2\x80\x99s ability to ensure its accountability within\n          HUD\xe2\x80\x99s overall control structure.\n\nRecommendation\n\n\n          We recommend that HUD\xe2\x80\x99s Assistant Secretary for Housing\n\n          1A. Ensure that Single Family managers and staff fully implement an\n              acceptable internal control structure by preparing and implementing\n              effective written policies and procedures that comply with GAO\n              internal control standards and HUD Handbook 1840.1 requirements.\n\n\n\n\n                                       15\n\x0c                  SCOPE AND METHODOLOGY\n\nOur review covered the period October 2005 through September 2007 and was expanded\nas necessary. To accomplish our objective, we reviewed GAO\xe2\x80\x99s Standards for Internal\nControls and HUD Handbook 1840.1, Departmental Management Control Program, to\nidentify actions that Single Family must perform and document to comply with HUD\xe2\x80\x99s\ninternal control process.\n\nWe interviewed staff from HUD\xe2\x80\x99s Office of the Chief Financial Officer, Office of\nHousing (Housing), and Single Family to gain an understanding of their internal control\nstructure. We also interviewed Housing and Single Family officials regarding their\nprocesses for\n     \xe2\x80\xa2 Annually assessing Single Family internal controls,\n     \xe2\x80\xa2 Completing management control reviews and front-end risk assessments, and\n     \xe2\x80\xa2 Implementing corrective actions and risk-based monitoring strategies.\n\nIn addition, we requested that Single Family provide documentation to support its\n\n    \xe2\x80\xa2   Completion of the annual risk assessment of its internal controls, any\n        management control reviews or alternative management control reviews\n        performed, and any front-end risk assessments performed during fiscal years\n        2006 and 2007;\n\n    \xe2\x80\xa2   Corrective action process for resolving HUD OIG report recommendations and\n        recommendations resulting from internal evaluations of its controls; and\n\n    \xe2\x80\xa2   Overall risk-based monitoring strategy for its three divisions (Office of Single\n        Family Program Development, Office of Single Family Asset Management, and\n        Office of Lender Activities and Program Compliance).\n\nWe reviewed GAO and HUD OIG reports to determine whether either entity had\npreviously identified noncompliance with internal control standards or HUD Handbook\n1840.1. We also reviewed Single Family internal reports, contractor reports, HUD\xe2\x80\x99s\n2006 and 2007 performance and accountability reports, business cycle memorandums,\nand FHA\xe2\x80\x99s fiscal year 2007 financial statements audit.\n\nWe performed on-site work from October 2007 to March 2008 at HUD headquarters\nlocated at 451 7th Street, SW, Washington, DC.\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the evidence obtained\nprovides a reasonable basis for our findings and conclusions based on our audit\nobjectives.\n\n\n                                           16\n\x0c                          INTERNAL CONTROLS\n\nInternal control is an integral component of an organization\xe2\x80\x99s management that provides\nreasonable assurance that the following objectives are being achieved:\n\n   \xe2\x80\xa2   Effectiveness and efficiency of operations,\n   \xe2\x80\xa2   Reliability of financial reporting, and\n   \xe2\x80\xa2   Compliance with applicable laws and regulations.\n\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet its\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the\nsystems for measuring, reporting, and monitoring program performance.\n\n\n\n Relevant Internal Controls\n               We determined the following internal controls were relevant to our audit\n               objectives: Single Family\xe2\x80\x99s controls for\n\n                  \xe2\x80\xa2   Identifying risk related to its programs and/or administrative\n                      functions.\n\n                  \xe2\x80\xa2   Evaluating its programs, systems, accounting functions, and\n                      administrative activities to determine whether adequate control\n                      techniques exist and to identify material and other weaknesses in\n                      internal controls.\n\n                  \xe2\x80\xa2   Risk-based monitoring to identify and target management attention\n                      and resources to program activities and participants that represent the\n                      greatest risk to program missions and are the most susceptible to\n                      fraud, waste, and mismanagement.\n\n                  \xe2\x80\xa2   Performing front-end risk assessments to determine the susceptibility\n                      to waste, fraud, abuse, and mismanagement of new or substantially\n                      revised programs and administrative functions.\n\n                  \xe2\x80\xa2   Identifying, planning, and implementing corrective actions to\n                      improve internal controls.\n\n               We assessed the relevant controls identified above.\n\n\n\n\n                                            17\n\x0c           A significant weakness exists if management controls do not provide\n           reasonable assurance that the process for planning, organizing, directing, and\n           controlling program operations will meet the organization\xe2\x80\x99s objectives.\n\nSignificant Weaknesses\n           Based on our review, we believe the following items are significant\n           weaknesses:\n\n               \xe2\x80\xa2   Single Family did not perform a formal, systematic annual risk\n                   assessment of its programs and administrative functions.\n\n               \xe2\x80\xa2   Single Family did not plan and conduct ongoing management control\n                   reviews or alternative management control reviews of its programs.\n\n               \xe2\x80\xa2   Single Family did not have an overall strategy regarding its risk-\n                   based monitoring of activities and participants.\n\n               \xe2\x80\xa2   Single Family did not identify corrective actions required to\n                   improve its management controls in a timely manner.\n\n\n\n\n                                         18\n\x0c                        APPENDIXES\n\nAppendix A\n\n     AUDITEE COMMENTS AND OIG\xe2\x80\x99S EVALUATION\n\n\nRef to OIG Evaluation        Auditee Comments\n\n\n\n\nComment 1\n\n\n\n\n                            19\n\x0cRef to OIG Evaluation    Auditee Comments\n\n\n\n\nComment 2\n\n\n\n\n                        20\n\x0cRef to OIG Evaluation    Auditee Comments\n\n\n\n\n                        21\n\x0c                     OIG Evaluation of Auditee Comments\n\n\nComment 1   We revised the draft report to further recognize that Single Family has\n            elements of a control structure in place and is implementing a plan to\n            further address its internal control needs. However, we did not determine\n            whether the new internal plan complies with GAO internal control\n            standards or HUD Handbook 1840.1, REV-3.\n\nComment 2   As stated in the report, we analyzed the process used by Single Family\xe2\x80\x99s\n            board of directors and the operational tools employed, and concluded that\n            these did not substitute for fully implementing an efficient and effective,\n            comprehensive internal control structure. The processes and tools used by\n            Single Family were elements of an internal control structure but did not\n            more than compensate for the requirements stated in HUD Handbook\n            1840.1, REV-3.\n\n\n\n\n                                        22\n\x0c"